1

We recently has a security consultant take a look at our application built using vaadin. We are still on version 6. Following are the advices given to implement

  • "X-Frame-Options" in the header.
  • Content-Security-Policy:script-src'self
  • X-Content-Type-Options:nosniff
  • X-FrameOptions:SAMEORIGIN
  • Configure web server to include response header-X-XSS-Protection:1;mode=block

My question is, considering vaadin pays attention to security, how does vaadin cope with this situation?

on oficial documentation of vaadin for 6 version there is no information available. Also found this solution , but not sure, it will work or not. Also on vaadin forum there is no solution thread availble for this.

Amol Bais
  • 332
  • 1
  • 6
  • 30

1 Answers1

3

Those headers are not directly within Vaadin's sphere of influence. Vaadin could in theory add such headers to responses that it manages, but there are also some scenarios when some of them wouldn't be appropriate which is why they aren't added by default.

For that reason, I would recommend that you configure your hosting environment (e.g. load balancer or application server) to include the header values that you want in all relevant responses. Another alternative is to create a simple Servlet Filter that adds the headers. A variation of that is described in the answer that you linked to.

Leif Åstrand
  • 7,820
  • 13
  • 19